Osx.Exploit.Iosjailbreak


Postby Radar1968 » Thu 07 Feb 2013 9:17 pm

All,

Can anyone explain why the Evas!on iOS jailbreak tools are now on the Clamav virus signature list?

I downloaded (but did not touch or open - have now deleted) the original v1.0 on 4th Feb and this did not get flagged by ClamXav.
I downloaded (but did not touch or open - have now deleted) v1.1 today and this has been flagged by ClamXav.

I'm guessing there's a reason for this now? I'm also guessing it's not because it's actually a virus, otherwise the net would be flooded with reports. I've seen similar flags in the PC world related to hacking tools or programs that could potentially be used to gain access to machines - not viruses as such, just warnings that they are present in case you were unaware.

If I only downloaded the DMG file then deleted it without opening all is well anyway I presume.

I'm just interested in more information when ClamXav sounds the alarm - something it has never done on a file before, only on the old phishing email.

Regards

Radar1968
Radar1968
 
Posts: 24
Joined: Thu 20 Dec 2012 8:59 pm

Re: Osx.Exploit.Iosjailbreak

Postby alvarnell » Thu 07 Feb 2013 9:34 pm

Radar1968 wrote: Can anyone explain why the Evas!on iOS jailbreak tools are now on the Clamav virus signature list?

I can explain how it got there, but not really why.

Several users have uploaded it to VirusTotal since Monday and one of the ClamAV signature writers chose to write a signature for it. Last time I checked, clamav was the only one of over forty scanners to consider it to be malware.

I've been discussing this with several colleagues since it showed up on Tuesday and we all agree that it isn't malware.

The only way to get it removed is if someone submits it to ClamAV as a False Positive and sees what they will do about it.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.5 / ClamXav 2.6.4 (AppStore & Web) w/ClamAV® 0.98.4
17" iMac G5 / Mac OS X 10.5.8 / ClamXav 2.5.1 / ClamAV® 0.97.8
alvarnell
Site Admin
 
Posts: 4373
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: Osx.Exploit.Iosjailbreak

Postby Radar1968 » Thu 07 Feb 2013 9:55 pm

Thanks for the prompt response.

I think I basically knew it wasn't a virus or malware or a threat of any sort (though what a way to introduce one!) but wanted some sort of clarification especially as it suddenly got flagged between versions.

I didn't open it (chickened out when 6.1.1 iOS dev release was announced) and binned straight away so not concerned at all - unless I should be of course?

Running a full scan now anyway and Sentry is checking my browser caches so websites are clean as no alerts there.

Regards
Radar1968

Re: Osx.Exploit.Iosjailbreak

Postby alvarnell » Fri 08 Feb 2013 12:14 am

I ended up with some unexpected time to submit it and follow up with the ClamAV folks. I'm sure the discussion will go on for a while, but they suggested I read this Forbes account of how the app works.

My first reaction is that at worst this is an iOS exploit and not at all an OSX threat as the name would have you believe. Even then, does it really exploit iOS to cause the user harm or does it do exactly what the user intended to do? I doubt anybody except the developer cares how it was done and unless these same vulnerabilities are being used to deliver actual iOS malware, does it really need to be detected?

I guess it could be judged as a pro-active step by ClamAV for an application that could be used to deliver iOS malware, but I think that's a stretch.

I need to do some more checking to see if there are any other signatures around that are jailbreaks, but I suspect they are setting a precedent here.
-Al-

Re: Osx.Exploit.Iosjailbreak

Postby Radar1968 » Fri 08 Feb 2013 7:54 am

Hi,

This has taken a worrying turn after I scanned my entire machine, as 5 more occurrences of Osx.Exploit.Iosjailbreak have shown up in 5 files that were never 'infected' before.

So we have 2 scenarios here I believe :-

i) It is a virus and has spread to other files even though I only downloaded the file and didn't open it.
ii) Its signature is showing up as a false positive elsewhere.

Either way it's got me rattled. Here are the files :-

GarageBuy_2.1.5.dmg: Osx.Exploit.Iosjailbreak FOUND
mac_pilot_lite.dmg: Osx.Exploit.Iosjailbreak FOUND
mac_pilot.dmg: Osx.Exploit.Iosjailbreak FOUND
mac_pilot4.3.2.dmg: Osx.Exploit.Iosjailbreak FOUND
~/Library/Application Support/Google/Chrome/Default/File System/000/t/00/00000000: Osx.Exploit.Iosjailbreak FOUND

Now the 4 files are old ones, certainly not accessed recently and the final one is obviously part of Chrome.

So my panicking question here is should I wait and see what gives or should I, as I'm planning, go back to my system image from the 29th Jan that I know is clean?

The IT part of me says it's a false positive, the human side says it's a problem and go back.

Regards
Radar1968

Re: Osx.Exploit.Iosjailbreak

Postby infinitesimal » Fri 08 Feb 2013 8:34 am

I have detected 'Osx.Exploit.Iosjailbreak' in about a dozen places on my various machines and drives. It's always present as a zip or dmg file. I recently purchased a software bundle from Koingo, including the latest version of MacPilot. Unfortunately, I installed MacPilot, but none of the others. All 5 of the application dmgs downloaded from Koingo's server were infected. I went back to Koingo's server an hour ago and downloaded one of the dmgs. ClamXAV snagged it immediately as contaminated. This means that Koingo's servers are spreading this thing everywhere. I submitted a help ticket to that effect, but lord knows if they'll read it or do anything. They might just do nothing just to keep things quiet. Is there any dedicated site or blog where alerts of this nature can be posted, so that broadcasting the alert forces infected sites to correct the problem?
infinitesimal
 
Posts: 9
Joined: Wed 09 Feb 2011 10:41 am

Re: Osx.Exploit.Iosjailbreak

Postby alvarnell » Fri 08 Feb 2013 8:54 am

Radar1968 wrote: GarageBuy_2.1.5.dmg: Osx.Exploit.Iosjailbreak FOUND
mac_pilot_lite.dmg: Osx.Exploit.Iosjailbreak FOUND
mac_pilot.dmg: Osx.Exploit.Iosjailbreak FOUND
mac_pilot4.3.2.dmg: Osx.Exploit.Iosjailbreak FOUND
~/Library/Application Support/Google/Chrome/Default/File System/000/t/00/00000000: Osx.Exploit.Iosjailbreak FOUND

Don't panic, I've found another user with similar results and I suspect after I scan mine I'll find some more. They are false positives.

Please go to http://www.clamav.net/sendvirus/ and use the "Send a false positive report" to upload the first two files (daily limit they impose). I will be posting a couple myself and let the ClamAV folks know what's going on.
-Al-

Re: Osx.Exploit.Iosjailbreak

Postby alvarnell » Fri 08 Feb 2013 8:59 am

infinitesimal wrote: I have detected 'Osx.Exploit.Iosjailbreak' in about a dozen places on my various machines and drives.

I'm certain they are all false positives since even the target file is not capable of impacting OS X.

Submit two of your files that are different from the ones Radar1968 found to the site referenced in my last reply.

I just started my scan and have hit one (AirRadar) immediately.
-Al-

Re: Osx.Exploit.Iosjailbreak

Postby Radar1968 » Fri 08 Feb 2013 9:40 am

Hi,

This is all sounding very positive and I'm relaxing a little.

When I get home I'll send the files off and conduct a quick test.

I have a number of backup copies of those files, most recently from the 29th Jan on a backup disk. This disk has never been near the jailbreak file and therefore is guaranteed clean. In fact the drive was last used BEFORE the jailbreak tool was released. Using my other Mac I'll copy the files off to a USB stick and then scan on the Mac picking up the problem. If they are reflagged as containing the exploit then I'll know 100% that they are false positives.

Thanks for your continued help.

Regards
Radar1968

Re: Osx.Exploit.Iosjailbreak

Postby Radar1968 » Fri 08 Feb 2013 5:13 pm

OK, so I have conducted my tests and am pretty certain it's an FP.

I copied the files from my backup drive of the 29th Jan to a fresh machine with ClamXav installed. This fresh machine has NEVER been near the evas1on site or code.
Sentry immediately identified the files as the jailbreak exploit.

So I have deleted all these files off my 'problem' machine as they are old anyway and have reset Chrome which flushed the other file.

Am rerunning a scan now to see what gives.
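The clean-backup check described in this post, as an added Python example that is not from the thread or from ClamXav: it parses ClamXav/clamscan "FOUND" lines and compares each flagged file against its same-named copy on a backup made before the machine could have been exposed, so a byte-identical copy shows the signature is firing on content that predates the jailbreak download. The regex, function names and sample files are my assumptions, and the DMG contents are constructed placeholders.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One ClamXav/clamscan detection line, e.g.
#   mac_pilot.dmg: Osx.Exploit.Iosjailbreak FOUND
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_found_lines(report):
    """Return [(path, signature), ...] for every FOUND line; OK lines and the summary are ignored."""
    matches = (FOUND_RE.match(line.strip()) for line in report.splitlines())
    return [(m.group("path"), m.group("sig")) for m in matches if m]

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(report, backup_dir):
    """Compare each flagged file with the same-named copy on a pre-exposure backup.
    Byte-identical means the signature matches content that predates exposure
    (false-positive indicator); a differing copy, or none, needs a closer look."""
    verdicts = {}
    for path, sig in parse_found_lines(report):
        live, baseline = Path(path), Path(backup_dir) / Path(path).name
        if not baseline.exists():
            verdict = "no_baseline"
        elif sha256_file(live) == sha256_file(baseline):
            verdict = "unchanged_since_backup"
        else:
            verdict = "modified"
        verdicts[live.name] = (sig, verdict)
    return verdicts

def demo():
    """Constructed sample: one file identical to its backup copy, one that differs,
    one with no backup copy. Names echo the thread; contents are placeholder bytes."""
    samples = [("mac_pilot.dmg", b"A" * 64, b"A" * 64),
               ("GarageBuy_2.1.5.dmg", b"B" * 64, b"B" * 63 + b"C"),
               ("00000000", b"D" * 16, None)]
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        live.mkdir()
        backup.mkdir()
        lines = [f"{live / 'clean.txt'}: OK"]  # non-FOUND line, must be ignored
        for name, live_bytes, backup_bytes in samples:
            (live / name).write_bytes(live_bytes)
            if backup_bytes is not None:
                (backup / name).write_bytes(backup_bytes)
            lines.append(f"{live / name}: Osx.Exploit.Iosjailbreak FOUND")
        return triage("\n".join(lines), backup)
```

A file that comes back "unchanged_since_backup" is exactly the case in the thread: the same bytes sat on the backup disk before the tool existed, so the new detection can only be the signature, not the file.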

Re: Osx.Exploit.Iosjailbreak

Postby alvarnell » Fri 08 Feb 2013 6:52 pm

Radar1968 wrote: OK, so I have conducted my tests and am pretty certain it's an FP.

Thanks, but what I really need is for you to submit a couple of those files to ClamAV, otherwise this will continue to be a problem for users.
-Al-

Re: Osx.Exploit.Iosjailbreak

Postby Radar1968 » Fri 08 Feb 2013 7:00 pm

Apologies didn't mention I'd done that as well. :lol:

Re: Osx.Exploit.Iosjailbreak

Postby Radar1968 » Fri 08 Feb 2013 9:51 pm

Just finished another full scan of my machine and happy to report nothing more has shown up.

Happy to leave this now until a solution and / or statement re the signatures etc is forthcoming.

Re: Osx.Exploit.Iosjailbreak

Postby Radar1968 » Thu 14 Feb 2013 4:17 pm

Wondered if anyone had heard anything re this 'false positive'?

Not sure whether it's been removed or acknowledged or anything.

Re: Osx.Exploit.Iosjailbreak

Postby alvarnell » Thu 14 Feb 2013 6:03 pm

I received an acknowledgement that the two I uploaded had been received and passed on to the signature team.

EDIT: Just checked e-mail and received this word from ClamAV:
This signature was dropped a couple days ago, and beyond that, users can ignore it on their end.
-Al-
